
Hi Ivan,
Thank you for the reference; I didn't see the tool, as I'd been using U-Boot v2023.04. These are all recent improvements, the sign option in binman and the fdt_add_pubkey tool. Nice!
Not part of this request, but in an ideal world :), it would be just a matter of putting private/public keys in, let's say, a /keys directory, and if signing is enabled in SPL or the second-stage U-Boot, make would produce a binary with the expected chain of trust. Yes, I know how the saying goes: "It is simple but not easy".
Who knows, one day my dream may come true. Meanwhile I will do it the old-school way, scripting. :)
Cheers, Andy
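The scripted, mkimage-based flow discussed in this thread (sign the FIT, inject the public key into the SPL control DTB with -K, verify with fit_check_sign), as an added example that is not code from the thread or from U-Boot itself. It assumes a keys/ directory, a u-boot.its whose signature node uses key-name-hint = "dev", and the SPL control DTB at spl/u-boot-spl.dtb; all three paths are assumptions.

```shell
#!/bin/sh
# Constructed example of the "old school" signing chain with mkimage.
# Assumed layout: keys/dev.key + keys/dev.crt, u-boot.its, spl/u-boot-spl.dtb.
set -eu

KEYS_DIR=${KEYS_DIR:-keys}
KEY_NAME=${KEY_NAME:-dev}

# Create a development RSA-2048 key pair and self-signed cert if absent.
# mkimage reads <keydir>/<hint>.key to sign and <hint>.crt for the pubkey.
ensure_keys() {
    dir=$1; name=$2
    mkdir -p "$dir"
    if [ ! -f "$dir/$name.key" ]; then
        openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
        openssl req -batch -new -x509 -key "$dir/$name.key" \
            -out "$dir/$name.crt" -subj "/CN=$name" 2>/dev/null
    fi
    [ -f "$dir/$name.key" ] && [ -f "$dir/$name.crt" ]
}

# Preflight: the ITS signature node must name the key we actually hold,
# otherwise mkimage fails late with a confusing error.
its_uses_key() {
    its=$1; name=$2
    grep -q "key-name-hint = \"$name\"" "$its"
}

# Sign the FIT and write the public key into the SPL control DTB (-K).
# -r marks the key as required, so SPL rejects configs it cannot verify.
sign_fit() {
    its=$1; dtb=$2; out=$3
    mkimage -f "$its" -K "$dtb" -k "$KEYS_DIR" -r "$out"
}

# Host-side verification against the DTB that now carries the pubkey.
verify_fit() {
    fit_check_sign -f "$1" -k "$2"
}

main() {
    ensure_keys "$KEYS_DIR" "$KEY_NAME"
    its_uses_key u-boot.its "$KEY_NAME"
    sign_fit u-boot.its spl/u-boot-spl.dtb image.fit
    verify_fit image.fit spl/u-boot-spl.dtb
}

# Only run the full chain when explicitly asked: sh sign.sh run
if [ "${1:-}" = "run" ]; then main; fi
```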
On Thu, Apr 27, 2023, 16:41 Ivan Mikhaylov fr0st61te@gmail.com wrote:
On Wed, 2023-04-26 at 15:29 -0600, Simon Glass wrote:
Hi Andy,
On Wed, 26 Apr 2023 at 12:49, Andy Pandy andypandy123g@gmail.com wrote:
Hi there,
First of all, I would like to thank you for the tool, I like it a lot.
Great!
I've been trying to sign U-Boot by placing a signature section into the configurations section. Something like:
    signature {
        algo = "sha256,rsa2048";
        key-name-hint = "dev";
        sign-images = "fdt", "loadables";
    };
But I can't find how to sign the second-stage U-Boot and integrate the public key into the U-Boot SPL device tree with binman. Prior to binman I used mkimage to do that, as follows:
    mkimage -f uboot.its -K u-boot.dtb -k ./keys -r image.fit
I could not find it in the documentation; I only saw pre-load, but I am not sure that this is what I am looking for.
I would appreciate it if you could give some hints on how this could be done.
Thank you for your help.
+Ivan Mikhaylov
I believe that 'binman sign' does this:
https://u-boot.readthedocs.io/en/latest/develop/package/binman.html#signing-...
Regards, Simon
Andy, you can also look at the tests there as examples:
https://github.com/u-boot/u-boot/blob/288fe30a2367b8d0e3f416493150a38ebaa884...
You can also add pubkeys with the fdt_add_pubkey utility if you need just that.
Simon, maybe I need to add the possibility of adding pubkeys via binman sign; what do you think?
Thanks.